A new law (no. 235/2015) amending the legislation governing the processing of personal data and privacy in the electronic communications sector was published in the Official Gazette on 14 October 2015 and has entered into force (the “New Retention Law”). This article reviews the main changes introduced by the New Retention Law and also examines a recently proposed draft of secondary data protection legislation, which has yet to be enacted.

The New Retention Law seeks to regulate access to data held by providers of public networks for electronic communications and providers of electronic communications services (the “Providers”). In addition, the New Retention Law aims at providing objective criteria for regulating:

i. the access and use of personal data by public authorities and institutions, in particular the provisions relating to the obligation to obtain prior authorisation issued by courts for such access. Previously such authorisation by the courts was not required; and

ii. the types of personal data that must be processed and retained by electronic communications providers, including traffic data, equipment identification data and localisation data of their users and subscribers (the “Retained Data”).